Data protection laws provide for the protection of personal privacy as they prohibit the unlawful use or disclosure of personal information. The Bahamas was one of the first Caribbean countries to enact a Data Protection (Privacy of Personal Information) Act, 2003 (DPA) and it applies to the processing of personal data by both the private and public sectors.

What is personal data?

Under the DPA personal data means “data relating to a living individual who can be identified either from the data or from the data in conjunction with other information in the possession of the data controller.”

For example, a person’s name, home address, tax identification number etc. would be deemed personal data if it directly identifies that specific individual. Additionally, under the DPA information such as an individual’s age, billing address, place of work, or credit card details if used in conjunction with other data may be sufficient to be classified as personal data.

What is a data breach?

A data breach occurs when there is some form of unauthorized entry into an organization’s database that allows a third party/hacker to gain access to an individual’s personal data. Usually, persons engaging in such activity are doing so with the intent to commit theft or fraud but data breaches can also be the result of an accident.

Data breaches have increased rapidly over the past few years and there have been a number of high-profile cases which have affected millions of users from Yahoo in 2016 to Marriott in 2018. These data security breaches serve as a reminder to both organizations and individuals that everyone is potentially vulnerable to theft or fraud.

Tips to minimize the risk of a data breach

Check software. Data breaches can occur due to certain vulnerabilities in a database. This is why it is important for organizations to ensure they have up-to-date software and anti-virus programs so as to prevent third parties from gaining control of consumers’ data.

Get consent. It is critical that organizations obtain express consent from their consumers to collect, process and store their personal data. Consumers must therefore also be provided with all the necessary information to assist them in making an informed decision.

Implement data protection policies. Organizations should develop and integrate written data protection policies and procedures to govern how personal data is to be handled. Such policies should be clear and precise and made available to both consumers and employees. This plan should also incorporate an incident/breach response plan.

Conduct data security audits. This will ensure that an organization is adhering to both local and international data protection standards. The data security audit also provides an opportunity for an organization to assess the security procedures in place as well as assist in determining if the data being stored is still required for its proposed use.

Educate Employees. As mentioned above, sometimes security breaches may be accidental, and so even your own employees may pose a potential risk. It is therefore important to teach your employees to recognize email scams, enforce the use of strong passwords, and ultimately limit which employees have access to sensitive data.

A personal data breach can be damaging not only to the individual but also to the organization. It is therefore essential that organizations ensure that their policies align with best practices and current requirements in the area of data protection.